Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Some datacenter attacks may be characterized by the rapid use of zero-day (i.e., new or unpatched) or relatively recent vulnerabilities to compromise tens of thousands of customers before the vulnerabilities are patched. While a majority of the publicized compromises may be at web hosts, zero-day exploits have also been detected at datacenters. Some of these exploits may be fixed within days, others may take months, and professional hackers usually plan for the faster response by attempting to use a vulnerability to compromise thousands of targets (sites, users, accounts) as quickly as possible. As the market for cloud services grows, and cloud service providers massively expand their server count to accommodate customer demand, batch exploitation by hackers via zero-day attacks is likely to continue to be problematic. However, conventional intrusion detection systems may not be able to detect such zero-day attacks.
Another challenge with zero-day attacks is that they are not detected by conventional content or pattern scanning. Heuristic intrusion detection has been demonstrated in many environments, but it typically generates so many false positives that it does not scale well and may require prohibitive staff levels for datacenter use. Additionally, heuristic detection may not detect command-based hacks (session or terminal hacks), being more suited to network-traffic-based scanning.